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Abstract 
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, The security of quantum exam [Phys. Lett. A 350 (2006) 174] is analyzed and it is 

<y ' found that this protocol is secure for any eavesdropper except for the "students" 

who take part in the exam. Specifically, any student can steal other examinees' 



o 



, solutions and then cheat in the exam. Furthermore, a possible improvement of this 

^ I protocol is presented. 
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Cryptography is the approach to assure the secrecy of the data which is stored 
or communicated in public environment. From its beginning the research of 
■ cryptography has been progressed along two directions in parallel. One direc- 

^ tion deals with the design of various schemes to maintain privacy. The other 

is focused on analyzing the security of existing protocols, trying to find the 
flaws in cryptosystems and improve them. Both directions are necessary to 
the development of cryptography. It is also the case in quantum cryptogra- 
phy [1,2,3], where the work of both scheme designing (e.g. [4] and references 
therein) and security analyzing (e.g. [5,6,7,8]) is continually proposed. 

In a recent paper [9] a novel protocol called quantum exam was proposed. In 
this protocol a teacher Alice wants to organize an exam with her remotely 
separated students Bob 1, Bob 2, ... and Bob A^. As in a classical exam, 
all the problems and Bobs' solutions should not be leaked out and, more 
importantly, any Bob cannot obtain other examinees' solutions. However, we 
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find that the later confidentiahty constraint is not perfectly satisfied. That is, 
a dishonest Bob can cheating in the exam. In this Letter we demonstrate this 
hidden trouble and then present a possible improvement of the quantum exam 
protocol. 

Let us introduce the quantum exam first. In fact there are two similar quantum 
exam protocols presented in Ref.[9]. We will take the first one (i.e., the so-called 
absolutely secure protocol) as our example. For simplicity we use the same 
notations as that in Ref . [9] . The whole protocol is a httle comphcated and here 
we only describe briefly the related part, that is, the solution-collecting part 
(including the entanglement-sharing process). In this stage Alice generates a 
large enough number of ordered nonidentical states 



\^p)aplp...Np — ^(|0SlpS2p...SjVp)aplp...Afp + 1 1 Sip ^2^ • • •■SAfp )aplp...Afp) , (l) 

where s^^ = or 1, VI < n < TV, and = © 1 (© denotes an addition 
mod 2). Note that the value of s„p is known only to Alice. For each Alice 
stores qubit ttp and sends qubits Ip, 2p, Np to Bob 1, Bob 2, Bob A^, 
respectively. Afterwards, Alice selects a subset of the entangled states {|$/)} 
to detect eavesdropping. More concretely, for each |$;), Alice measures the 
qubit ai randomly in the basis Bz or and informs every Bob to perform the 
same measurement on his corresponding qubit. Then they check the security 
of the entanglement distribution process by verifying 

for every n = 1,2, N (when B^ was used) or 



N 



'at 



n=l 



(3) 



(when Bx was used), where j represents the measurement result, jaiUni) ~ 
{0,1} corresponding to obtaining {|0), |1)} and ja^Uni) — l+l)"!} corre- 
sponding to obtaining {|+), |— )}• If there is no eavesdropping detected, the 
shared entanglement can be used for solution-collecting some time later. When 
needed, Alice and Bobs measure the remaining ordered |$p)-states {\^m)amim...Nm} 
in basis B^ and record the outcomes as the secure keys. Let {Ja^} and {j^^} 
denote the keys belonging to Ahce and Bob n, respectively. Every Bob uses his 
key as a one-time-pad to encrypt his solution and sends it to Alice. With the 
knowledge of j^^ and Alice can obtain each Bob's key [see Eq.(2)]. Con- 
sequently, at the end of the exam Alice will correctly decrypt Bobs' messages 
and obtain every Bob's solution. 
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It can be seen that the sohition-collecting process comprises mainly a multi- 
partite quantum key distribution (MQKD) scheme. Because the one-time-pad 
is perfectly secure here, the security of the whole process lies on that of the 
key distribution. As we know, the state \^p)apip...Np has a property of positive 
parity, i.e., japYln=ijnp — +1- This wonderful property is subtly employed 
to detect eavesdropping in the quantum exam protocol [see Eq.(3)]. As a re- 
sult, the two constraints Eqs.(2) and (3) can make the exam secure against 
various kinds of attacks [9]. However, we take notice of another property of 
\^p)apip...Np, that is, one can entangle an ancilla |0) into the multipartite en- 
tangled state by a controUed-NOT (CNOT) operation and then disentangle it 
out from the obtained state by another CNOT operation. The control qubits 
of the two CNOT operations can be any two qubits in \^p)apip...Np and the 
target is the ancilla. For example, for a certain p, the multipartite entangled 
state and the ancilla compose a composite system 



|r)' = |$)al...iv|0)g = ;^(|0SiS2-Sjv)al...iv|0)5+ |lSlS2...SAr)„l...iv|0)g),(4) 

where the subscript g represents the ancilla. If one performs a CNOT operation 
Ckg (the first subscript k denotes the control qubit and the second one g 
denotes the target qubit) on the qubit k {1 < k < N) and the ancilla, the 
state of the system changes into 



|r)^ = -^{\0SiS2...SN)al...N\Sk)g + | IS1S2. . .Siv)al...Af | Sfc)g) • (5) 

Now if one performs another CNOT operation Crg on the qubit r {1 < r < N) 
and the ancilla, he (she) will obtain 



|r)^ = -^{\0SiS2...SN)al...N\Sk © Sr)g + | lSlS2- •■Siv)al...Ar| -Sfc © Sr)g) 

= -^{\0SiS2...SN)al...N\Sk © Sr) g + | lSiS2...SAr)al...Ar| Sjfc © Sr)g) 

= |$)al...7v|Sfc © ■Sr)a- (6) 

It can be seen that the ancilla is disentangled out from the multipartite en- 
tangled state and, more importantly, the original state \^)ai...N is left alone. 
As a result, if an eavesdropper Eve utilizes the above operations to eavesdrop, 
she will introduce no errors. Furthermore, when Eve measures the ancilla in 
basis Bz she will obtain Sk © Sr definitely. Since the value Sk © Sr implies, as 
described as following, the correlation of the measurement results of qubits k 
and r, we call the state \^)ai...N "correlation elicitable". It can be shown that 
this property gives a dishonest Bob the chance to cheat in the exam. Without 
loss of generahty, suppose the dishonest student is Bob r and he wants to steal 
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Bob /c's solution (maybe Bob k is an outstanding student), he can adopt the 
following strategy to achieve his goal. 

(i) For each p, Bob r prepares an ancilla |0) and performs two CNOT opera- 
tions CkpQp and CrpQp as described above when Alice distributes the multipar- 
tite entangled states {\%)apip...Np}- 

(ii) Bob r measures each ancilla in basis and obtains Skp(BSrp with certainty. 

(iii) Cooperating with Alice, Bob r executes the legal process to detect eaves- 
dropping and get key bits. After the actions (i) and (ii), as analyzed above, 
all the carrier states {\^p)apip...Np} remain unchanged and no disturbance is 
introduced. Therefore, Alice cannot detect the eavesdropping and Bob r will 
correctly obtain the intended key bits {j^^}- 

(iv) Bob r gains Bob /c's key bits {j^,^} by simple calculation. More specifically. 
Bob r deletes the data corresponding to the check states {|$«)} from the 
bits {skp ® Srp}, and obtains the remaining ordered bits {sk^ © •^r^}, which 
correspond to the carrier states {|$m)a,„i™...iv^} and the key bits {jr^}- It 
should be emphasized that, for a certain m, the measurement outcomes of the 
ancilla Sk^(BSr^ implies the relation between two key bits and j^^, that is, 
JL ®jL = © ■ [From Eq. ( 1) we can see that either j^^ = , j^^ = 

or jk^ = Sfe^, Jr^ = holds.] Therefore, with the knowledge of {sk^ ® Sr^} 
and {Jr^}, Bob r can easily get the key bits {jk^} of Bob k by calculating 
JL = ® © jvm each m. 

(v) Bob r cheats when Ahce collects the solutions. Obviously, with the help 
of {ifc^}. Bob r can decrypt the message sent from Bob k to Ahce and copy 
Bob A;'s solution at will. 

By this strategy, a dishonest student can steal any other examinees' solutions. 
Moreover, the eavesdropping is not difficult to realize because it needs only 
facilities similar to that of the legal parties. One may argue that, in the above 
example, if Bob r is far away from the quantum channel between Alice and 
Bob k he cannot continually perform the two CNOT operations in a certain 
time. In fact there is no need to worry about it. Bob r does not need to 
take a round trip between his and Bob /c's quantum channels. He can ask his 
friend, say Charlie, who stands in Bob /c's channel, to perform the first CNOT 
operation Cfe^g^ and then send the ancilla to him. 

There is a fact which should be pointed out. That is, the one who will legally 
take part in the protocol is prone to be omitted when we analyze various attack 
strategies. In fact, in most MQKD protocols (e.g. quantum secret sharing, see 
[10] and references therein), a participant generally has more power to attack 
than an outside eavesdropper because the participant can take advantage of 
the right to access the carrier state partly and participate in the process of 
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eavesdropping detection. We call this kind of attack "participant attack" . In 
the quantum exam protocols, as we can see, the eavesdropping result {s^^ © 
Sr^} does not seem to have much meaning for an outside eavesdropper, but it is 
very useful for a participant Bob to eavesdrop further. Therefore, as implied in 
Refs.[ll,12,13], the main goal for the security of an MQKD should be focused 
on preventing the dishonest participant from eavesdropping the information. 

Now we discuss how to improve the quantum exam protocol to prevent this 
kind of participant attack. To retain the features of the original quantum exam 
protocol, our aim is to modify it as little as possible. Since the fundamental 
reason of this threat is the speciahty of |$)ai...iv, i-e., "correlation elicitable", 
Alice can insert some different check qubits to detect the above attack. For 
example, before Alice sends the sequences to Bobs, she inserts a certain number 
of single qubits into each sequence in random positions. All these single qubits 
are randomly in one of the states {|+), |— )} [14]. Note that the positions of the 
single qubits in these sequences are different from each other. After all Bobs 
received their respective sequences, Alice tells each Bob the positions of these 
check qubits and lets him measure them in the basis B^. Then Alice and Bob 
check the identity of these qubits. If the error rate is low enough, they proceed 
with other steps in the original protocol to finish the quantum exam. Because, 
for the dishonest Bob, both the single qubits and the qubits from \^)ai...N 
are in maximally mixed state p — |(|0)(0| + he cannot distinguish the 

check qubits from others. Therefore, when the dishonest Bob wants to cheat 
using above strategy, he would introduce errors with probability | once he 
performs a CNOT operation on a certain check qubit and his ancilla. As a 
result, the improved protocol can stand against the above participant attack. 
Furthermore, the main frame of the original protocol is retained and it follows 
that the security against other kinds of attacks (such as measure-resend attack, 
disturbance attack, entangle-measure attack, etc. [9]) still holds. 

In conclusion, we show that a dishonest student can cheat in the quantum 
exam [9] and give a possible improvement by inserting some additional check 
qubits in each sequence. We emphasize that the participant attack should 
not be overlooked when we discuss the security of a MQKD scheme, which 
generally possesses more power in eavesdropping than the attack from outside. 
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